
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine

Category                 | Details
-------------------------|----------------------------------------------------------------------------------------------------
Threat Actors            | Secret Blizzard (linked to Turla, Waterbug, Venomous Bear, etc.), overlapping with Center 16 of Russia's FSB. Storm-1837 is also mentioned.
Campaign Overview        | Espionage campaigns targeting Ukrainian military devices using infrastructure and tools co-opted from other threat actors.
Target Regions           | Ukraine (Ukrainian military, ministries, defense-related entities).
Methodology              | Spear phishing, adversary-in-the-middle attacks, strategic web compromises, and use of commandeered malware (e.g., the Amadey bot).
Product Targeted         | Microsoft Defender (identified through the malware's evasion checks), Ukrainian front-line devices (e.g., Starlink IP addresses).
Malware Reference        | Tavdig backdoor, KazuarV2 backdoor, Amadey bot, Storm-1837 PowerShell backdoor, Griselda Android backdoor.
Tools Used               | RC4 encryption, PowerShell droppers, DLL sideloading with legitimate binaries, reconnaissance tools, cmdlets, plugins for data collection.
Vulnerabilities Exploited| Exploitation of shared infrastructure, use of Amadey malware-as-a-service (MaaS), and DLL sideloading weaknesses.
TTPs                     | Lateral movement, reconnaissance, data exfiltration, multi-stage payload deployment, use of third-party footholds for espionage.
Attribution              | Attributed to Russian state-sponsored actors, specifically Center 16 of the FSB, with overlaps to other known groups (e.g., Turla).
Recommendations          | Strengthen Microsoft Defender configurations, enable tamper protection, monitor PowerShell scripts, implement attack surface reduction rules, and conduct proactive threat hunting.
Source                   | Microsoft Threat Intelligence blog.
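The recommendations above (tamper protection, attack surface reduction rules, PowerShell script monitoring) can be audited on a Windows endpoint with the built-in Defender cmdlets. The script below is an added example for that audit; it is not from the Microsoft article and uses only the standard `Get-MpComputerStatus`, `Get-MpPreference` and registry cmdlets. The ASR rule GUIDs are deliberately not hard-coded: it reports whichever rules the host has configured and flags any that are in audit or disabled mode rather than block mode.

```powershell
# Added example (not from the original article): audit the Defender settings the
# summary recommends and return a findings object. Run in an elevated PowerShell
# on a Windows host with Microsoft Defender Antivirus present.

function Get-DefenderHardeningReport {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # 1. Tamper protection: prevents malware from silently disabling Defender.
    $tamperProtected = [bool]$status.IsTamperProtected

    # 2. Attack surface reduction rules. Get-MpPreference exposes parallel arrays:
    #    _Ids holds rule GUIDs, _Actions holds 0=Disabled, 1=Block, 2=Audit, 6=Warn.
    $asrRules = @()
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $action = @($pref.AttackSurfaceReductionRules_Actions)[$i]
        $asrRules += [pscustomobject]@{
            RuleId = @($pref.AttackSurfaceReductionRules_Ids)[$i]
            Mode   = switch ($action) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {"Unknown($action)"} }
        }
    }
    $asrNotBlocking = $asrRules | Where-Object { $_.Mode -ne 'Block' }

    # 3. PowerShell script block logging (Event ID 4104), needed to "monitor
    #    PowerShell scripts" such as the droppers and backdoor described above.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $scriptBlockLogging = $false
    if (Test-Path $sblKey) {
        $val = (Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        $scriptBlockLogging = ($val -eq 1)
    }

    # 4. Real-time protection and cloud-delivered protection, the baseline
    #    "strengthen Defender configuration" items.
    $realTime = [bool]$status.RealTimeProtectionEnabled
    $cloud    = ($pref.MAPSReporting -ne 0)

    $findings = @()
    if (-not $tamperProtected)      { $findings += 'Tamper protection is OFF' }
    if (-not $realTime)             { $findings += 'Real-time protection is OFF' }
    if (-not $cloud)                { $findings += 'Cloud-delivered protection (MAPS) is OFF' }
    if (-not $scriptBlockLogging)   { $findings += 'PowerShell script block logging is not enabled' }
    if ($asrRules.Count -eq 0)      { $findings += 'No attack surface reduction rules configured' }
    foreach ($r in $asrNotBlocking) { $findings += "ASR rule $($r.RuleId) is in $($r.Mode) mode, not Block" }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        TamperProtected     = $tamperProtected
        RealTimeProtection  = $realTime
        CloudProtection     = $cloud
        ScriptBlockLogging  = $scriptBlockLogging
        AsrRulesConfigured  = $asrRules.Count
        AsrRulesNotBlocking = @($asrNotBlocking).Count
        Findings            = $findings
    }
}

# Usage: print the report and list anything that deviates from the recommendations.
$report = Get-DefenderHardeningReport
$report | Format-List
if ($report.Findings.Count -gt 0) { $report.Findings | ForEach-Object { Write-Warning $_ } }
```

The report is returned as an object rather than only printed so it can be collected across hosts (for example via `Invoke-Command`) and compared against a baseline during proactive hunting.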

Read full article: https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/

The above summary has been generated by an AI language model

Source: Microsoft

Published on: December 11, 2024
